If you use Splunk Cloud, you do not have filesystem access to your Splunk Cloud deployment. You must file a Support ticket to add a custom search command to your deployment.

The tasks to add a custom command to your deployment are:

Create or edit the commands.conf file in a local directory.

Add a new stanza to the commands.conf file that describes the command.

Restart Splunk Enterprise.

Add a new stanza to the local commands.conf file

Edit the local commands.conf file to add a stanza for the command.

Each stanza in the commands.conf file represents the configuration for a specific search command. The following example shows a stanza that enables your custom command script:

[<stanza_name>]
chunked=true
filename = <string>

The stanza_name is the keyword that is used in searches to invoke the command. The stanza_name is also the name of the search command. Search command names must be lowercase and consist only of alphanumeric (a-z and 0-9) characters. Command names must be unique. The stanza_name cannot be the same as the name of any other custom or built-in command.

The chunked=true attribute specifies that the command uses the Version 2 protocol.

The filename attribute specifies the name of your custom command script and, with it, the location of the script.

For example, to create the custom command "fizbin", you create a stanza in the commands.conf file.

[fizbin]
chunked = true
filename = fizbin.py

Other attributes that you can use to describe the custom command are explained later in this topic.

Describe the command (Version 2 protocol)

Version 2 of the Custom Search Command protocol dynamically determines if the command is a generating command, a streaming command, or a command that generates events.

Additionally, an authentication token is always sent to search commands that use the protocol.

The attributes that you can specify with the protocol are described below.

command.arg.<N>
Additional command-line arguments to use when invoking the custom search command script. Environment variables, such as $SPLUNK_HOME, are substituted.

filename
The name of the script to run when the custom search command is used.

is_risky
When users click a link or type a URL that loads a search into Splunk Web, a warning appears if the search contains risky commands. This warning does not appear when users create ad hoc searches. Specify this attribute if your custom search command is risky. Examples of built-in risky commands are delete and dump. To determine if your custom command is risky, see Safeguards for risky commands in the Securing Splunk Enterprise manual.

maxchunksize
The maximum chunk size (the size of the metadata plus the size of the body) that the external command can produce. If the command tries to produce a chunk that is larger than the maxchunksize value, the command is terminated.

maxwait
The maximum number of seconds the custom search command can pause before producing output.

Read more about these configuration attributes in the commands.conf.spec topic in the Admin Manual.
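The following script is an added example, not part of the Splunk documentation or of any Splunk tool: a small validator that parses a commands.conf file and checks the Version 2 stanza rules stated above (lowercase alphanumeric stanza names, uniqueness, no collision with a built-in command name, a filename for every chunked stanza, and sane values for maxchunksize, maxwait, is_risky and command.arg.<N>). It also lists which stanzas declare is_risky, which is the set Splunk Web warns about. The sample commands.conf content and the built-in command set are constructed for the example (the real built-in list is in the Search Reference), and treating maxchunksize and maxwait as non-negative integers is an assumption made here rather than something this page states.

```python
import re

# Constructed sample configuration for the example; not a real deployment's file.
SAMPLE_CONF = """\
# custom search commands (constructed example)
[fizbin]
chunked = true
filename = fizbin.py
maxchunksize = 8388608
maxwait = 30
is_risky = true
command.arg.1 = --mode
command.arg.2 = $SPLUNK_HOME/etc/apps/fizbin/config.json

[MyCmd-2]
chunked = true
filename = mycmd.py

[delete]
chunked = true
filename = delete.py

[fizbin]
chunked = true
filename = other.py

[nofile]
chunked = true
maxchunksize = lots
"""

# Built-in command names that a custom stanza must not reuse. The page names
# delete and dump as built-in risky commands; the rest of this set is a
# deliberately partial, constructed placeholder for the full Search Reference list.
BUILTIN_COMMANDS = {"delete", "dump", "search", "stats", "eval", "table"}

STANZA_RE = re.compile(r"^\[(.*)\]\s*$")
NAME_RE = re.compile(r"^[a-z0-9]+$")          # lowercase alphanumeric only
ARG_KEY_RE = re.compile(r"^command\.arg\.(\d+)$")
BOOL_VALUES = {"true", "false", "1", "0"}


def parse_commands_conf(text):
    """Parse commands.conf text into a list of (stanza_name, {key: value}) pairs.

    A list is used instead of a dict so that duplicate stanzas remain visible
    to the validator rather than silently merging.
    """
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = (m.group(1).strip(), {})
            stanzas.append(current)
            continue
        if current is None or "=" not in line:
            continue  # attributes outside any stanza are ignored here
        key, _, value = line.partition("=")
        current[1][key.strip()] = value.strip()
    return stanzas


def validate_commands_conf(text, builtin_commands=BUILTIN_COMMANDS):
    """Return a list of (stanza, problem) findings for the rules described on this page."""
    findings = []
    seen = set()
    for name, attrs in parse_commands_conf(text):
        if not NAME_RE.match(name):
            findings.append((name, "name must be lowercase a-z and 0-9 only"))
        if name in builtin_commands:
            findings.append((name, "name collides with a built-in command"))
        if name in seen:
            findings.append((name, "duplicate stanza"))
        seen.add(name)

        chunked = attrs.get("chunked", "false").lower()
        if chunked not in BOOL_VALUES:
            findings.append((name, "chunked must be true or false"))
        if chunked in ("true", "1") and "filename" not in attrs:
            findings.append((name, "Version 2 stanza needs a filename"))

        # Assumption: sizes and timeouts are plain non-negative integers.
        for key in ("maxchunksize", "maxwait"):
            if key in attrs and not attrs[key].isdigit():
                findings.append((name, f"{key} must be a non-negative integer"))
        if "is_risky" in attrs and attrs["is_risky"].lower() not in BOOL_VALUES:
            findings.append((name, "is_risky must be true or false"))
        for key in attrs:
            if key.startswith("command.arg.") and not ARG_KEY_RE.match(key):
                findings.append((name, f"{key}: N in command.arg.<N> must be an integer"))
    return findings


def risky_commands(text):
    """Names of stanzas that declare is_risky, the ones Splunk Web warns about."""
    return sorted(
        name for name, attrs in parse_commands_conf(text)
        if attrs.get("is_risky", "false").lower() in ("true", "1")
    )


if __name__ == "__main__":
    for stanza, problem in validate_commands_conf(SAMPLE_CONF):
        print(f"[{stanza}] {problem}")
    print("risky:", risky_commands(SAMPLE_CONF))
```

Running it on the sample reports the mixed-case name, the collision with delete, the duplicate fizbin stanza, and the missing filename plus non-numeric maxchunksize in the last stanza, while the well-formed fizbin stanza passes and is listed as risky. Because Splunk Cloud customers cannot edit the file directly, a check like this is most useful on the local copy before it goes into the Support ticket.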

Describe the command (Version 1 protocol)

Some of the attributes that describe a custom command using the Version 1 protocol specify the type of command.

You need to understand the differences between the types of commands. There are four broad categorizations for all the search commands:

Distributable streaming

Centralized streaming

Generating

Transforming

For a comprehensive explanation about the command types, see Types of commands in this manual. For a complete list of the built-in commands that are in each of these types, see Command types in the Search Reference.
